Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2008 Customs and Border Protection Financial Statement Audit (Redacted)

Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public release. A review under the Freedom of Information Act will be conducted upon request.

OIG-09-59
April 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

April 16, 2009

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the FY 2008 Customs and Border Protection (CBP) balance statement audit as of September 30, 2008. It contains observations and recommendations related to information technology internal control that were not required to be reported in the financial statement audit report (OIG-09-09, November 2008) and represents the separate restricted distribution report mentioned in that report.
The independent accounting firm KPMG LLP (KPMG) performed the audit of CBP’s FY 2008 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 4, 2008, and the conclusions expressed in it. We do not express opinions on CBP’s financial statements or internal control or make conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

KPMG LLP
2001 M Street, NW
Washington, DC 20036

December 4, 2008

Inspector General
U.S. Department of Homeland Security

Commissioner
U.S. Customs and Border Protection

Chief Information Officer
U.S. Customs and Border Protection

We have audited the consolidated balance sheets of the U.S. Department of Homeland Security’s (DHS) Customs and Border Protection (CBP) as of September 30, 2008 and 2007, and related consolidated statements of net cost, changes in net position, custodial activity and the combined statement of budgetary resources (hereinafter, referred to as “consolidated financial statements”) for the years then ended.
In planning and performing our audit of CBP’s consolidated financial statements, we considered CBP’s internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements.

In connection with our fiscal year 2008 audit, we considered CBP’s internal control over financial reporting by obtaining an understanding of CBP’s internal controls, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our procedures. We limited our internal control testing to those controls necessary to achieve the objectives described in Government Auditing Standards and OMB Bulletin No. 07-04, Audit Requirements for Federal Financial Statements. We did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). The objective of our engagement was not to provide an opinion on the effectiveness of CBP’s internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of CBP’s internal control over financial reporting.

A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects CBP’s ability to initiate, authorize, record, process, or report financial data reliably in accordance with U.S.
generally-accepted accounting principles such that there is more than a remote likelihood that a misstatement of CBP’s financial statements that is more than inconsequential will not be prevented or detected by CBP’s internal control over financial reporting. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by CBP’s internal controls.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative

We noted certain matters involving internal control and other operational matters with respect to information technology that are summarized in the Information Technology Management Letter starting on page 1. These comments contribute to the significant deficiency presented in our Independent Auditors’ Report, dated November 15, 2008, and represent the separate restricted distribution report mentioned in that report.

The comments described herein have been discussed with the appropriate members of management through a Notice of Finding and Recommendation (NFR); and are intended For Official Use Only. We aim to use our knowledge of CBP’s organization gained during our audit engagement to make comments and suggestions that we hope will be useful to you. We have not considered internal control since the date of our Independent Auditors’ Report.

The Table of Contents on the next page identifies each section of the letter.
In addition, we have provided: a description of key financial systems and information technology infrastructure within the scope of the FY 2008 CBP financial statement audit is provided in Appendix A, a description of each internal control finding is provided in Appendix B, and the current status of the prior year NFRs is presented in Appendix C.

This report is intended for the information and use of DHS and CBP management, the DHS Office of Inspector General, the U.S. Office of Management and Budget, the U.S. Congress, and the Government Accountability Office, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

U.S. Customs and Border Protection
Information Technology Management Letter
September 30, 2008

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope and Approach
Summary of Findings and Recommendations
IT General Controls Findings by Audit Area
    Access Controls
    Application Software Development and Change Controls
    System Software
    Entity-Wide Security Program Planning and Management
    Service Continuity
    Segregation of Duties
Application Control Findings
Management Comments and OIG Response

APPENDICES

Appendix A: Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2008 CBP Financial Statement Audit
Appendix B: FY 2008 Notices of IT Findings and Recommendations
Appendix C: Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations
Appendix D: Management’s Response to the Draft CBP IT Management Letter

Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit

OBJECTIVE, SCOPE AND APPROACH

We have audited the consolidated balance sheets of the U.S.
Department of Homeland Security’s (DHS) Customs and Border Protection (CBP) as of September 30, 2008 and 2007, and related consolidated statements of net cost, changes in net position, custodial activity and the combined statement of budgetary resources (hereinafter, referred to as “consolidated financial statements”) for the years then ended. The overall objective of our audit was to evaluate the effectiveness of IT general controls of CBP’s financial processing environment and related IT infrastructure as necessary to support the audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office, formed the basis of our audit. The scope of the IT general controls assessment included testing at CBP’s Office of Information Technology (OIT) and other offices related to the IT general controls portion of the financial statement audit.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency.
FISCAM defines the following six control functions to be essential to the effective operation of the general IT controls environment.

   • Entity-wide security program planning and management (EWS) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
   • Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
   • Application software development and change control (ASDCC) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
   • System software (SS) Controls – Controls that limit and monitor access to powerful programs that operate computer hardware and secure applications supported by the system.
   • Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
   • Service continuity (SC) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key network and system devices, as well as testing of key financial application controls.
The technical security testing was performed from within select CBP facilities, and focused on test, development, and production devices that directly support CBP financial processing and key general support systems.

In addition to testing CBP’s general control environment, we performed application control tests on a limited number of CBP financial systems and applications. The application control testing was performed to assess the controls that support the financial systems’ internal controls over the input, processing, and output of financial data and transactions.

   • Application Controls (APC) - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

Financial IT systems security is essential to achieving effective, reliable reporting of financial and performance data. As a part of our engagement to perform the financial statement audit, we performed an evaluation of the general controls over significant CBP financial IT systems.
Effective general controls are typically defined by the GAO’s FISCAM, in six key control areas: entity-wide security program planning and management, access control, application software development and change control, system software, segregation of duties, and service continuity. In addition to general controls, financial systems contain application controls, which are the structure, policies, and procedures that apply to use, operability, interface, edit and monitoring controls of an application. We tested various application controls of key CBP financial systems as part of our IT audit test work.

During fiscal year (FY) 2008, CBP took corrective action to address prior year IT control weaknesses. For example, CBP made improvements in how they track the hiring, termination and systems access of contracted employees within the Office of Information Technology (OIT). Also, issues with the tracking of backup tapes and their location were addressed, as well as issues surrounding the management review of control overrides performed in the [redacted]. However, during FY 2008, we continued to identify IT general control weaknesses at CBP. The most significant weaknesses, from a financial statement audit perspective, related to controls over access to programs and data. Collectively, the IT control weaknesses limited CBP’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal controls over CBP financial reporting and its operation and we consider them to collectively represent a significant deficiency for CBP under standards established by the American Institute of Certified Public Accountants (AICPA).
The information technology findings were combined into one significant deficiency regarding Information Technology for the FY 2008 audit of the CBP consolidated financial statements.

Although we noted improvement, many of the conditions identified at CBP in FY 2007 have not been corrected because CBP still faces challenges related to the merging of numerous IT functions, controls, processes, and organizational resource shortages. During FY 2008, CBP took steps to address these conditions. Despite these improvements, CBP needs further emphasis on the monitoring and enforcement of access controls. CBP needs to further emphasize the importance of developing and implementing well-documented procedures at the system and entity-level. Many of the issues identified during our review, which were also identified during FY 2007 and prior, can be addressed through a more consistent application of DHS and CBP policies for IT controls.

While the recommendations made by KPMG should be considered by CBP, it is the ultimate responsibility of CBP management to determine the most appropriate method(s) for addressing the weaknesses identified based on their system capabilities and available resources.

IT GENERAL CONTROL FINDINGS BY AREA

Conditions: In FY 2008, the following IT and financial system control weaknesses were identified at CBP. Many of the issues identified during our FY 2008 engagement were also identified during FY 2007.
The following IT and financial system control weaknesses result in IT being reported as contributing to a significant deficiency for financial system security.

1. Access controls – we noted:

   • Some active connections to [redacted] do not have documented interconnection security agreements (ISA) in place;

   • CBP does not maintain a centralized listing of contract personnel, including employment status. Currently, CBP only maintains contractor information for OIT contractors. While this is a majority of CBP contractors, it does not include all CBP contractors. Additionally, as a result of additional test work, we noted data validity issues in the [redacted];

   • CBP workstation policy for screensavers is not appropriately implemented. Specifically we noted that the configuration of a password-protected screensaver can be modified by the user, allowing that user to remove the password requirement and also disabling the screensaver completely;

   • The following issues in regard to [redacted] for the [redacted]:
        o A solution has been implemented to track and monitor security and audit related activity but has not been operational for the entire fiscal year;
        o There is a configuration weakness for capturing security and audit related activity in the [redacted] Protection application. The configuration has changed on multiple occurrences in regards to tracking activity for the ‘[redacted] to [redacted]’ field in FY 2008; and
        o There is no defined method to generate and review security audit logs for security violations.

   • CBP implemented a script to disable accounts after thirty days of inactivity.
     However, the script was not functioning appropriately for most of the fiscal year and was only remedied during the third quarter of FY 2008;

   • A total of 10 mainframe audit logs were not available for the following dates: November 12, 2007, February 22, 2008, and March 7, 2008. For November 12, 2007, logs were not available for [redacted], and [redacted]. For February 22, 2008, logs were not available for the [redacted] and [redacted]. For March 7, 2008, logs were not available for [redacted], and [redacted]. It was further noted that all mainframe audit and system utility logs that went digital after April 1, 2008 were available for review;

   • [redacted] has been adjusted to limit active temporary and/or emergency access to 24 hours after the request. It was noted, however, that the emergency table is still in use. Further, administrator or supervisory approval is not required each time temporary or emergency access is activated. Also, Information System Security Manager (ISSM) approval is not required, conflicting with DHS policy;

   • There are currently no procedures in place for the completion of semi-annual recertifications of the [redacted] accounts.
     KPMG also notes that a recertification of the [redacted] accounts is not performed on a semi-annual basis;

   • When changes to a user’s access are performed in [redacted] the log of these events is not regularly reviewed by personnel independent from those individuals that initiated the changes. It was further noted that logs from March 2008 through July 2008 have not been reviewed by the [redacted] Information System Security Officer (ISSO) or an independent reviewer;

   • Out of 25 dates selected for review, six [redacted] security violation report reviews were not available;

   • Authorizations are not being maintained for personnel that have administrator access to the [redacted] access control program. Additionally, it was noted in FY 2008 that access requests for new mainframe [redacted] are requested and approved verbally;

   • Access request forms were not available for review for three accounts created by the [redacted] administrators during FY 2008;

   • CBP-241 Employee Separation Forms are not completed consistently, with employee and/or supervisor signature missing from 7 of the 25 separated employees selected;

   • Formal procedures do not exist for the [redacted] security violation log review process. It was further noted that informal procedures are used by the network security specialist to inspect the security violation log for suspicious activity and to document the review;

   • Formal procedures do not exist for the review process of [redacted] audit and [redacted].
     It was further noted that informal procedures are used by the [redacted] ISSOs to inspect logs for suspicious and unusual activity and to document the review;

   • The special characters requirement under password complexity was not appropriately configured for [redacted]

   • Access authorizations for emergency and temporary access to [redacted] are not approved by the ISSM, as required by DHS policy;

   • A Customs Directive was provided as separation procedures for contractors and this directive was dated September 2001. The directive references Treasury policies as source documentation. This directive is out of date, as CBP is no longer a part of the Department of Treasury. Additionally, CBP-242 contractor separation forms are not completed consistently for separating CBP contractors. Specifically, it was noted that all forms for selected separated contractors were completed; however, 6 of the selected 25 separated contractors’ forms were completed at least one month after the individual separated from CBP;

   • Non-disclosure agreements (NDAs) are not consistently mandated for CBP contractors;

   • The parameters for the [redacted] audit and [redacted] ([redacted]) are not configured to collect appropriate data.
     KPMG further noted that three out of the six [redacted] do not produce any data in the log;

   • CBP does not currently require individuals to sign a rules of behavior prior to gaining access to CBP information systems;

   • The following weaknesses were identified for the [redacted] Security Audit Logs procedures:
        o Procedures do not define how often the [redacted] security audit logs are reviewed.
        o Procedures do not describe the documented evidence of review process, Security Violation Log Report, which is created by the [redacted] ISSO/Independent Reviewer.
        o Procedures do not define the sampling methodology that is used to select daily security logs.
        o Procedures were not effective for all of FY 2008 (October 1, 2007 – September 30, 2008);

   • The initial password granted to new [redacted] accounts is not in compliance with DHS requirements;

   • CBP does not have a method of tracking completion of security awareness training for CBP employees and contractors. Individuals from the program team responsible for security awareness training do not have the ability to identify those individuals who have not completed security awareness training and, therefore, can not ensure all CBP personnel have completed this training;

   • The [redacted] Security Administrators Handbook is out of date and has inaccurate statements of CBP and DHS policies.
     Specifically, the following weaknesses were identified:
        o Out-of-date references to US Customs Service,
        o References to out-of-date Customs (now CBP) policies and procedures (1400-05a),
        o Requirement that [redacted] initial passwords are set to a weak password string,
        o Statement that [redacted] does not allow special characters in passwords;

   • The following weaknesses were identified in [redacted] access control procedures:
        o A periodic (at least semi-annual) recertification of all [redacted] portal accounts is not performed,
        o Formal procedures are not documented for the creation of [redacted] portal accounts,
        o [redacted] is not configured to disable accounts after 45 days of inactivity on the system; and

   • Two [redacted] accounts that were created during FY 2008 did not have appropriate access authorization forms maintained by the [redacted] administrators. It was further noted that multiple administrators on the [redacted] had accounts created by other groups than the [redacted] Support Team.

2. Application software development and change controls – no condition noted.

3. Service continuity – we noted:

   • [redacted] is not installed on all workstations for the majority of the fiscal year as required.
     Specifically, it was noted that as of 3/31/2008, 4,751 workstations out of 50,282 workstations do not have [redacted] installed;

   • That a complete and up-to-date listing of all CBP workstations is not maintained;

   • [redacted] the system used to enforce virus protection policies, was not installed on all CBP workstations on [redacted]. It was noted that as of 8/11/2008, 0.25% of all workstations on [redacted] did not appear on the [redacted] listing. In addition to this, a conclusion could not be obtained on whether all CBP workstations have antivirus protection, as those workstations that are not on [redacted] are not communicating with [redacted];

   • The most recent business continuity planning (BCP) testing was incomplete. Specifically, it was noted that not all systems were brought online as required since sufficient hardware was unavailable at the recovery facility to fully and properly perform the continuity testing; and

   • Documented hardware maintenance procedures do not exist for the [redacted] environment supporting [redacted].

4. Entity-wide security program planning and management – no conditions noted.

5. System software – we noted during our technical testing:

   • Configuration management exceptions were identified on [redacted] and hosts supporting the [redacted] and [redacted] applications; and
   • Patch management exceptions were identified on hosts supporting the [redacted] and the [redacted] applications.

6. Segregation of duties – no conditions noted.

Recommendations: We recommend that the CBP Office of Chief Information Officer (OCIO), in coordination with the Office of the Chief Financial Officer (OCFO), make the following improvements to the CBP financial
management systems:
1. For access controls:
   • Review and maintain a listing of active connections with the [redacted] and account for each connection with a documented interconnection security agreement (ISA);

   • Work on the [redacted] to ensure that all CBP contractors are included in the database and that the data for each contractor is complete and accurate;

   • Determine a method for appropriately applying CBP and DHS policy requiring automatically-activated, password-protected screensavers after a period of inactivity;

   • Properly capture appropriate audit log data per DHS policy. KPMG further recommends that a method for generating and reviewing security audit logs be developed for the [redacted] according to CBP and DHS policy, to detect potential security events;

   • Regularly run the updated script on the system to disable user accounts after the DHS-specified period of inactivity;

   • Maintain [redacted] audit and [redacted] per DHS policy;

   • Develop and implement procedures that will appropriately restrict the use of emergency or temporary access within [redacted] and that requires documented supervisory approval from the ISSM confirming this access is needed.
     In addition, CBP should perform regular recertifications of the emergency access table to ensure persons with the capability to request temporary or emergency access need to remain on the emergency access table;

   • Develop formal procedures for recertifying [redacted] accounts and access to shared data and perform regular recertifications of [redacted] accounts and access to shared data as required by developed procedures;

   • Implement the review of [redacted] security audit logs on a periodic basis by an independent reviewer and formalize these procedures in detail for the review of [redacted] security audit logs;

   • Follow DHS policy and maintain documented evidence of review for [redacted] security violation logs for the duration outlined in DHS policy;

   • Develop and implement procedures to restrict access to mainframe administrative capabilities and require documented authorization requests and approval for each person requiring access to the [redacted] administrative capabilities;

   • Continue to develop a method for tracking and consolidating access request forms for the [redacted] and continue to implement the procedures developed to control [redacted] account creation;

   • Require managers to consistently complete the CBP-241 forms that are required as set forth in CBP directives and policy;

   • Create formal procedures to document the [redacted] security violation log review process;

   • Create formal procedures to document the review process for [redacted] audit and [redacted];

   • Follow DHS policy and improve password complexity by including special characters for the [redacted] application;

   • Adjust CBP-level and [redacted]-level policies to require the ISSM to approve the emergency and temporary access authorizations prior to access being granted. Require documented supervisory approval from the ISSM each time a user requires emergency access abilities;

   • Review contractor separation directives, document an up-to-date review of this document and make modifications as needed based on the new operating environment for CBP as part of the Department of Homeland Security. Require the consistent and accurate completion of the CBP-242 forms for all separating contractors;

   • Enforce DHS’ requirement that a non-disclosure agreement be signed by all contractors in a moderate and high risk level position to ensure that they are aware of their responsibilities in protecting the confidentiality of DHS and CBP data;

   • Properly configure [redacted] audit and [redacted] to capture appropriate data for the [redacted] and that CBP maintain [redacted] audit and [redacted] per DHS policy;

   • Require all employees and contractors to sign rules of behavior prior to being granted any system access.
     Additionally, for personnel that already have systems access, CBP should prioritize having these individuals sign rules of behavior to maintain their systems access;

   • Create detailed procedures that document the review process for [redacted] security audit logs that includes the documented evidence of review;

   • Update the [redacted] Security Administrator Handbook to require a strong password that is in compliance with DHS and CBP password policies to be set as the initial password for all new [redacted] accounts;

   • Develop a method for determining individuals who have and have not completed security awareness so that they can actively work towards 100% compliance with the DHS requirement that all individuals with systems access complete annual security awareness training;

   • Perform a full review of the [redacted] Security Administrators Handbook and make updates to the document to reflect the current operating environment. This review should be fully documented and the Handbook should be updated to include a change log as evidence of the updates made;

   • Document and implement policies and procedures for [redacted] access control; and

   • Limit the organization that can create [redacted] accounts and administrator accounts and require any accounts created to be created by a single organization.

2. No findings or recommendations were noted for application software development and change control.

3. For service continuity:

   • Implement procedures to regularly review and monitor the workstations that have [redacted] installed and perform inquiries to determine why identified workstations do not have [redacted] installed;

   • Work with administrators across the country to ensure that new and existing workstations are added to a CBP [redacted] domain to appropriately account for all workstations;

   • Develop procedures to regularly review and monitor the workstations that have antivirus protection installed and perform inquiries to determine why identified workstations do not have the protection installed and updated;

   • Work to allocate the appropriate hardware at [redacted] to allow for the system availability to fully test the business continuity plan to ensure that [redacted] has the capability to support CBP in the event that the [redacted] is rendered unavailable for production; and

   • Document [redacted] hardware maintenance procedures to ensure a consistent application of maintenance methodologies for the [redacted] environment.

4. No findings or recommendations were noted for entity-wide security program planning and management.

5. For system software:
   • Immediately address configuration management exceptions that were identified during technical testing on [redacted]) [redacted] and hosts supporting the [redacted] and [redacted] applications; and
   • Immediately address patch management exceptions that were identified during technical testing on hosts supporting the [redacted] and the [redacted] and [redacted] applications.

6. No findings or recommendations were noted for segregation of duties.

Cause/Effect: Due to the
increased allocation of resources to the [redacted] development and implementation project, organizational realignments, and staff turnover, resources were not consistently available throughout the year to address all prior year issues noted above. While CBP addressed a significant number of prior year issues, several remain unresolved. Some issues from the prior year have already been addressed; however, the findings were reissued as these findings were not resolved for the entire fiscal year, which is within the scope of the audit. Additionally, several weaknesses were noted as a result of changes in DHS policy since FY 2007 that had not been incorporated into CBP policy and implementation. By not addressing the conditions noted above, the possibility exists for CBP that these risks will be exploited, in either a singular fashion or in combination, which might affect the availability, confidentiality or integrity of CBP’s financial data.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. In addition, OMB Circular No. A-127 prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems.
In closing, for this year’s IT audit, we assessed CBP’s compliance with DHS 4300A Sensitive Systems Handbook. Additionally, we assessed CBP’s implementation of CBP policy, the Information Systems Security Policies and Procedures Handbook, version 1.3.

APPLICATION CONTROL FINDINGS

During FY 2007, KPMG noted that weaknesses over the processing of drawback claims exist within the [redacted] system. Specifically, [redacted] did not support the tracking of drawback items to the line item level. Rather, [redacted] only tracked drawbacks on a summary level. This control weakness was identified in FYs 2003, 2004, 2005, and 2006. This control weakness was presented to CBP management by the KPMG financial statement team as a significant control weakness and also noted by the KPMG IT team.

Also, due to the design of [redacted], certain controls could be overridden without supervisory approval. For example, when a CBP entry specialist attempts to liquidate an import entry in [redacted], the system displays a warning message, indicating that a drawback claim had been filed against the import entry. However, entry specialists could override the warning message without supervisory review and process a refund without investigating pending drawback claims. The purpose of this warning message is to ensure that both a refund and drawback are not paid on the same goods. Entry specialists could override system edits designed to detect refunds exceeding the total duty, tax, and fees paid on an import entry. [redacted] did not generate override reports for supervisory review.

In FY 2008, KPMG noted that CBP OIT had developed a report in [redacted] which displays all control overrides performed at a particular port within [redacted]. KPMG determined that the report appropriately accounts for all overrides in order to address the condition identified in previous fiscal years and identified above. Due to the pervasiveness of this [redacted] application control weakness, the mitigating control only partially alleviates the control weakness through implementing this report review process. Therefore, this issue remains a material weakness specific to drawbacks when combined with the resulting financial audit test work. This material weakness for drawbacks is reported in our Independent Auditors’ Report, dated November 15, 2008.

MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from the CBP CIO. Generally, CBP management agreed with all of our findings and recommendations and they have developed a remediation plan to address these findings and recommendations. We have incorporated these comments where appropriate and included a copy of the comments in Appendix D. We have corrected the risk rating assigned to the notice of findings and recommendation within this report.
The risk rating now corresponds with the risk rating presented in the FY 2008 Consolidated Information Technology Management Letter.

OIG Response
We agree with the steps that CBP’s management is taking to satisfy these recommendations.

FOR OFFICIAL USE ONLY

APPENDIX A

DESCRIPTION OF KEY FINANCIAL SYSTEMS AND IT INFRASTRUCTURE WITHIN THE SCOPE OF THE FY 2008 CBP FINANCIAL STATEMENT AUDIT

DESCRIPTION OF FINANCIAL SYSTEMS AND IT INFRASTRUCTURE

Below is a description of significant CBP financial management systems and supporting IT infrastructure included in the scope of CBP’s FY 2008 Financial Statement Audit.

Locations of Review:
   The [redacted] in [redacted].
   The [redacted] in [redacted].
   The [redacted] in [redacted].
   The Port of [redacted].
   The Port of [redacted].

Systems Subject to Review:
   • [redacted] - [redacted] is CBP’s financial management system that consists of a ‘core’ system, which supports primary financial accounting and reporting processes, and a number of additional subsystems for specific operational and administrative management functions. [redacted] is a client/server-based financial management system that was implemented beginning in FY 2004 using a phased approach that replaced the [redacted]-based financial system.

   • [redacted] – [redacted] is a collection of business process mainframe-based systems used by CBP to track, control, and process all commercial goods, conveyances and private aircraft entering the U.S. territory for the purpose of collecting import duties, fees, and taxes owed to the Federal government.
     Key application software within [redacted] includes systems for data input/output, entry and entry summary, and collection of revenue.

   • [redacted] – [redacted] is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. [redacted] is being deployed in phases, with a final full deployment scheduled for FY 2012. As [redacted] is partially implemented now and processes a significant amount of revenue for CBP, [redacted] was included in a limited scope in the FY 2008 financial statement audit.

   • [redacted] – Used for tracking seized assets, Customs Forfeiture Fund, and fines and penalties. The resulting financial information interfaces with CBP’s financial management system.

APPENDIX B

FY 2008 NOTICES OF IT FINDINGS AND RECOMMENDATIONS

Notice of Findings and Recommendation – Definition of Risk Ratings:

The Notice of Findings and Recommendations (NFR) are ranked with a risk rating of High, Medium, and Low based upon the potential impact that each weakness could have on CBP’s information technology (IT) general control environment and the integrity of the financial data residing on the CBP’s financial systems, and the pervasiveness of the weakness. The risk ratings are intended only to assist management in prioritizing corrective actions, considering the potential benefit of the corrective action to strengthen the IT general control environment and/or the integrity of the CBP financial statements. Correction of some higher risk findings may help mitigate the severity of lower risk findings, and possibly function as a compensating control. In addition, analysis was conducted collectively on all NFRs to assess connections between individual NFRs, which when joined together could lead to a control weakness occurring with more likelihood and/or higher impact potential.
The risk ratings, used in this context, are not defined by Government Auditing Standards, issued by the Comptroller General of the United States, or the American Institute of Certified Public Accountants (AICPA) Professional Standards, and do not necessarily correlate to a significant deficiency, as defined by the AICPA Standards and reported in our Independent Auditors’ Report on the CBP’s financial statements, dated December 4, 2008.

High Risk: A control weakness that is more serious in nature affecting a broader range of financial IT systems, or having a more significant impact on the IT general control environment and/or the integrity of the financial statements as a whole.

Medium Risk: A control weakness that is less severe in nature, but in conjunction with other IT general control weaknesses identified, may have a significant impact on the IT general control environment and/or the integrity of the financial statements as a whole.

Low Risk: A control weakness minimal in impact to the IT general control environment and/or the integrity of the financial statements.

The risk ratings included in this report are intended solely to assist management in prioritizing its corrective actions.

U.S. Customs and Border Protection
FY2008 Information Technology
Notification of Findings and Recommendations – Detail

NFR #: CBP-IT-08-02
New Issue:
Repeat Issue: X
Risk Rating: Medium
Condition: This is a system-level finding. KPMG notes that significant progress has been made at addressing this persistent finding. KPMG notes that a full listing of connections to [redacted] has been developed and is maintained. However, KPMG also noted that there are active connections to [redacted] that still do not have a documented [redacted] in place. Work is progressing within CBP to address the missing [redacted] but as of testing, KPMG noted that not all connections had a documented [redacted].
Recommendation: KPMG believes that work should continue to review and maintain a listing of active connections with the [redacted] and account for each connection with a documented [redacted].

NFR #: CBP-IT-08-03
New Issue:
Repeat Issue: X
Risk Rating: Medium
Condition: This is a repeat, component-level finding. CBP does not maintain a centralized listing of contract personnel, including employment status. Currently, CBP only maintains contractor information for OIT contractors. While this is a majority of CBP contractors, it does not include all CBP contractors. Additionally, as a result of additional test work, KPMG noted data validity issues in the [redacted].
Recommendation: KPMG recommends that CBP continue work on the [redacted] to ensure that all CBP contractors are included in the database and that the data for each contractor is complete and accurate.

NFR #: CBP-IT-08-08
New Issue:
Repeat Issue: X
Risk Rating: Low
Condition: This is a system-level finding. KPMG noted the following issues in regards to Security Audit Logs for [redacted]:
   • A solution has been implemented to track and monitor security and audit related activity but has not been operational for the entire FY 2008.
   • There is a configuration weakness for capturing security and audit related activity in the [redacted] application. The configuration has changed on multiple occurrences in regards to tracking activity for the ‘Logon to Account’ field in FY 2008.
   • There is no defined method to generate and review security audit logs for security violations for the [redacted].
Recommendation: Properly configure the application to capture appropriate data per DHS policy. KPMG further recommends that a method for generating and reviewing security audit logs be developed for [redacted] according to CBP and DHS policy, to detect potential security events.

NFR #: CBP-IT-08-09
New Issue:
Repeat Issue: X
Risk Rating: Low
Condition: This is a system-level finding. KPMG noted that during FY 2008, CBP implemented a script to disable accounts after thirty days of inactivity. However, KPMG noted that the script was not functioning appropriately for the full fiscal year and was fixed during the third quarter of FY 2008.
Recommendation: Ensure that the updated script runs regularly on the system to disable user accounts after the DHS-specified period of inactivity.

NFR #: CBP-IT-08-12
New Issue:
Repeat Issue: X
Risk Rating: Medium
Condition: This is a component-level finding. As noted in FY 2007, KPMG notes that [redacted] is not installed on all workstations for the majority of the fiscal year. Specifically, KPMG noted that as of 3/31/2008, 4,751 workstations out of 50,282 accounted for workstations do not have [redacted] installed.
Recommendation: Develop procedures to regularly review and monitor the workstations that have [redacted] installed and perform inquiries to determine why identified workstations do not have [redacted] installed.

NFR #: CBP-IT-08-13
New Issue:
Repeat Issue: X
Risk Rating: Medium
Condition: This is a component-level finding. KPMG noted that while progress has been made in accounting for all CBP workstations, a complete and up-to-date listing of all CBP workstations is not maintained.
Recommendation: Work with administrators across the country to ensure that new and existing workstations are added to a CBP [redacted] domain to allow for all workstations to be accounted for in an appropriate fashion.

NFR #: CBP-IT-08-16
New Issue:
Repeat Issue: X
Risk Rating: Medium
Condition: This is a system-level finding. KPMG noted that the [redacted] has been adjusted to limit active temporary and/or emergency access to 24 hours after the request. KPMG notes, however, that the table is still being used and that administrator or supervisory approval is not required each time temporary or emergency access is activated and that ISSM approval is not required, as required in DHS policy.
Recommendation:
   a) Develop and implement procedures that will appropriately restrict the use of emergency or temporary access within [redacted] and that requires documented supervisory approval from the ISSM confirming this access is needed.
   b) Perform regular recertifications of the emergency access table to ensure persons with the capability to request temporary or emergency access need to remain on the emergency access table.

NFR #: CBP-IT-08-18
New Issue:
Repeat Issue: X
Risk Rating: Medium
Condition: This is a system-level finding. KPMG noted there are currently no procedures in place for the completion of semi-annual recertifications of [redacted] accounts. KPMG also notes that a recertification of [redacted] accounts is not performed on a semi-annual basis.
Recommendation:
   a) Develop formal procedures for recertifying [redacted] accounts and access to shared data.
   b) Perform regular recertifications of [redacted] accounts and access to shared data as required by developed procedures.

NFR #: CBP-IT-08-21
New Issue:
Repeat Issue: X
Risk Rating: Low
Condition: This is a system level finding. KPMG noted that when changes to a user’s access are performed in [redacted], the log of these events is not regularly reviewed by personnel independent from those individuals that made the changes. KPMG further noted that logs from March 2008 through July 2008 have not been reviewed by the ISSO/Independent Reviewer.
Recommendation: Implement the review of these logs on a periodic basis by an independent reviewer and that CBP formalize these procedures in detail for the review of [redacted] security audit logs.

NFR #: CBP-IT-08-26
New Issue:
Repeat Issue: X
Risk Rating: Low
Condition: This is a system-level finding. KPMG noted that out of 25 dates, [redacted] security violation report reviews were not provided to KPMG.
Recommendation: Follow DHS policy and maintain documented evidence of review for security violation logs for the duration outlined in DHS policy.

NFR #: CBP-IT-08-27
New Issue:
Repeat Issue: X
Risk Rating: Medium
Condition: This is a system-level finding. KPMG noted that authorizations are not being maintained for personnel that have administrator access to [redacted]. Additionally, KPMG noted in FY 2008 that access requests for new mainframe [redacted] administrator accounts are requested and approved verbally.
Recommendation:
   a) Develop and implement procedures to restrict access to [redacted] administrative capabilities, and
   b) Require documented authorization requests and approval for each person requiring access to the [redacted] administrative capabilities.

NFR #: CBP-IT-08-28
New Issue:
Repeat Issue: X
Risk Rating: Medium
Condition: This is a system level finding. KPMG noted that procedures have been developed to require access request forms for any new account created for the [redacted]. However, KPMG noted that access request forms were not available for review for three accounts created by [redacted] administrators during FY 2008.
Recommendation: Continue efforts to develop a method for tracking and consolidating access request forms for the [redacted] and continue to implement the procedures developed to control [redacted] account creation.

CBP-IT-08-29 (Repeat Issue; Risk Rating: Medium)
Condition: This is a component-level finding. KPMG noted that procedures are in place for the completion of the termination forms for separating government employees. KPMG noted, however, that the forms are not completed consistently, with employee and/or supervisor signature missing from 7 of the 25 separated employees selected.
Recommendation: Require managers to consistently complete the CBP-241 forms that are required as set forth in CBP directives and policy.

CBP-IT-08-34 (Repeat Issue; Risk Rating: Low)
Condition: This is a component-level finding. KPMG noted that [redacted], the system used to enforce virus protection policies, was not installed on all CBP workstations on [redacted]. KPMG noted that as of 8/11/2008, 0.25% of all workstations on [redacted] did not appear on the [redacted] listing. In addition to this, KPMG could not conclude on whether all CBP workstations have antivirus protection, as those workstations that are not on [redacted] are not communicating with [redacted].
Recommendation: Develop procedures to regularly review and monitor the workstations that have antivirus protection installed and perform inquiries to determine why identified workstations do not have the protection installed and updated.

CBP-IT-08-35 (Repeat Issue; Risk Rating: High)
Condition: During our technical testing, configuration management exceptions were identified on [redacted] and hosts supporting the [redacted] and [redacted] applications.
Recommendation: Immediately address configuration management exceptions that were identified during technical testing on Controllers and hosts supporting the [redacted] and [redacted] applications.

CBP-IT-08-36 (Repeat Issue; Risk Rating: High)
Condition: During our technical testing, patch management exceptions were identified on hosts supporting the [redacted] and the [redacted] and [redacted] applications.
Recommendation: Immediately address patch management exceptions that were identified during technical testing on hosts supporting the [redacted] and the [redacted] and [redacted] applications.

CBP-IT-08-37 (New Issue; Risk Rating: Low)
Condition: This is a system-level finding. KPMG noted that formal procedures do not exist for the security violation log review process. KPMG further noted that informal procedures are used by the network security specialist to inspect the security violation log for suspicious activity and to document the review.
Recommendation: Develop formal procedures to document the [redacted] security violation review process.

CBP-IT-08-38 (New Issue; Risk Rating: Low)
Condition: This is a system-level finding. KPMG noted that formal procedures do not exist for the review process of [redacted] audit and [redacted]. KPMG further noted that informal procedures are used by the [redacted] ISSOs to inspect logs for suspicious and unusual activity and to document the review.
Recommendation: Develop formal procedures to document the review process for [redacted] audit and [redacted].

CBP-IT-08-39 (New Issue; Risk Rating: Low)
Condition: This is a system-level finding. KPMG noted that the ‘special characters’ requirement under password complexity is not set.
Recommendation: Follow DHS policy and improve password complexity by including special characters for the [redacted] application.

CBP-IT-08-40 (New Issue; Risk Rating: Low)
Condition: This is a system-level finding. KPMG noted that access authorizations for emergency and temporary access to [redacted] are not approved by the ISSM.
Recommendation:
a) Adjust CBP-level and [redacted]-level policies to require the ISSM to approve the emergency and temporary access authorizations prior to access being granted, and
b) Require documented supervisory approval from the ISSM each time a user requires emergency access abilities.

CBP-IT-08-41 (New Issue; Risk Rating: Medium)
Condition: This is a component-level finding. KPMG noted that a Customs Directive was provided as separation procedures for contractors and the directive was dated September 2001. The directive references Treasury policies as source documentation. This directive is out of date as CBP is no longer a part of the Department of Treasury. Additionally, KPMG noted that CBP-242 contractor separation forms are not completed consistently for separating CBP contractors. Specifically, KPMG noted that all forms for selected separated contractors were completed; however, 6 of the selected 25 separated contractors’ forms were completed at least one month after the individual separated from CBP.
Recommendation:
a) Review the current directive, document an up-to-date review of this document and make modifications as needed based on the new operating environment for CBP as part of the Department of Homeland Security, and
b) Require the consistent and accurate completion of the CBP-242 forms for all separating contractors.

CBP-IT-08-43 (New Issue; Risk Rating: Medium)
Condition: This is a component-level finding. KPMG noted that the most recent business continuity plan testing was incomplete. Specifically, KPMG noted that not all systems were brought online as required since sufficient hardware was unavailable at the recovery facility to fully and properly perform the continuity testing.
Recommendation: Allocate the appropriate hardware to [redacted] to allow for the system availability to fully test the business continuity plan to ensure that [redacted] has the capability to support CBP in the event that the [redacted] is rendered unavailable for production.

CBP-IT-08-44 (New Issue; Risk Rating: Low)
Condition: This is a component-level finding. KPMG noted that non-disclosure agreements (NDAs) are not consistently mandated for CBP contractors.
Recommendation: Enforce DHS’ requirement that a non-disclosure agreement be signed by all contractors in a moderate and high risk level position to ensure that they are aware of their responsibilities in protecting the confidentiality of DHS and CBP data.

CBP-IT-08-45 (New Issue; Risk Rating: Low)
Condition: This is a system-level finding. KPMG noted that the parameters for the [redacted] are not configured to collect appropriate data. KPMG further noted that three out of the audit and system utility logs, [redacted], do not produce any data in the log.
Recommendation: Properly configure [redacted] audit and [redacted] to capture appropriate data for the [redacted] system.

CBP-IT-08-46 (New Issue; Risk Rating: Low)
Condition: This is a system-level finding. KPMG noted that a total of 10 specific logs were not available for the following dates: November 12, 2007, February 22, 2008, and March 7, 2008. For November 12, 2007 logs were not available for [redacted]. For February 22, 2008, logs were not available for the [redacted], and [redacted]. For March 7, 2008, logs were not available for [redacted]. KPMG further noted that all mainframe audit and system utility logs that went digital after April 1, 2008 were available for review.
Recommendation: Maintain [redacted] audit and system utility logs per DHS policy.

CBP-IT-08-47 (New Issue; Risk Rating: Low)
Condition: This is a component-level finding. KPMG noted that CBP does not currently require individuals to sign rules of behavior prior to gaining access to CBP information systems.
Recommendation: Require all CBP personnel (employees and contractors) sign rules of behavior prior to being granted any system access. Additionally, for personnel that already have systems access, CBP should prioritize having these individuals sign rules of behavior to maintain their systems access.

CBP-IT-08-48 (New Issue; Risk Rating: Low)
Condition: This is a system level finding. KPMG noted the following weaknesses for the [redacted] Security Audit Logs procedures below:
• Procedures do not define how often the [redacted] security audit logs are reviewed,
• Procedures do not describe the documented evidence of review process, Report that is created by the ACS ISSO/Independent Reviewer,
• Procedures do not define the sampling methodology that is used to select [redacted] daily security logs, and
• Procedures were not effective for the entire FY 2008 (October 1, 2007 – September 30, 2008).
Recommendation: Develop detailed procedures that document the review process for [redacted] security audit logs that includes the documented evidence of review.

CBP-IT-08-49 (New Issue; Risk Rating: Medium)
Condition: This is a system-level finding. KPMG noted that the initial password granted to new [redacted] accounts is not in compliance with DHS requirements.
Recommendation: Update the [redacted] Security Administrator Handbook to require a strong password that is in compliance with DHS and CBP password policies to be set as the initial password for all new [redacted] accounts.

CBP-IT-08-50 (New Issue; Risk Rating: Low)
Condition: This is a component-level finding. CBP has no method of tracking completion of security awareness training for CBP employees and contractors. Individuals from the program team responsible for security awareness training do not have the ability to identify those individuals who have not completed security awareness training. Therefore, CBP can not ensure all personnel have completed this training.
Recommendation: Develop a method for determining individuals who have and have not completed security awareness so that they can actively work towards 100% compliance with the DHS requirement that all individuals with systems access complete annual security awareness training.

CBP-IT-08-51 (New Issue; Risk Rating: Low)
Condition: This is a system level finding. KPMG noted through inquiry with the [redacted] that documented hardware maintenance procedures do not exist.
Recommendation: Document [redacted] hardware maintenance procedures to ensure a consistent application of maintenance methodologies for the UNIX environment.

CBP-IT-08-52 (New Issue; Risk Rating: Low)
Condition: This is a system-level finding. KPMG determined that the CBP workstation policy for screensavers is not appropriately implemented. Specifically, KPMG noted that the configuration of a password-protected screensaver can be modified by the user, allowing that user to remove the password requirement and disable the screensaver completely.
Recommendation: Determine a method for appropriately applying CBP and DHS policy requiring automatically-activated, password-protected screensavers after a period of inactivity.

CBP-IT-08-53 (New Issue; Risk Rating: Low)
Condition: This is a system-level finding. The Security Administrators Handbook is out of date and has inaccurate statements of CBP and DHS policies. Specifically, KPMG noted:
• Out-of-date references to US Customs Service,
• References to out-of-date Customs (now CBP) policies and procedures (1400-05a),
• Requirement that [redacted] initial passwords are set to a weak password string, and
• Statement that [redacted] does not allow special characters in passwords.
Recommendation: Perform a full review of the [redacted] Security Administrators Handbook and update the document to reflect the current operating environment. This review should be fully documented and the Handbook should be updated to include a change log as evidence of the updates made.

CBP-IT-08-54 (New Issue; Risk Rating: Medium)
Condition: This is a system level finding. KPMG noted the following weaknesses in access control procedures:
• A regular (at least semi-annual) recertification of all [redacted] portal accounts is not performed,
• Formal procedures are not documented for the creation of portal accounts, and
• [redacted] is not configured to disable accounts after 45 days of inactivity on the system.
Recommendation: Document and implement policies and procedures for [redacted] access control.

CBP-IT-08-55 (New Issue; Risk Rating: Medium)
Condition: This is a system level finding. KPMG noted that 2 accounts created during FY 2008 did not have appropriate access authorization forms maintained by the [redacted] administrators. KPMG further noted that multiple administrators on the [redacted] had accounts created by other groups than the Support Team.
Recommendation: Limit the organization that can create accounts, administrator accounts and require any accounts be created by a single organization.


APPENDIX C

STATUS OF PRIOR YEAR NOTICES OF FINDINGS AND RECOMMENDATIONS AND COMPARISON TO CURRENT YEAR NOTICES OF FINDINGS AND RECOMMENDATIONS

                                                                                      Disposition
NFR No.       Description                                                             Closed   Repeat
CBP-IT-07-01  Override of warning in Drawback function without supervisory approval   X
CBP-IT-07-02  [redacted] Interconnection Security Agreements (ISAs)                            CBP-IT-08-02
CBP-IT-07-03  Contractor Tracking Deficiencies                                                 CBP-IT-08-03
CBP-IT-07-04  Labeling of Backup Media                                                X
CBP-IT-07-05  Password Configurations                                                 X
CBP-IT-07-06  Session Disconnects and Locking                                         X
CBP-IT-07-07  Version Control for Source Code                                         X
CBP-IT-07-08  [redacted] Audit Logs                                                            CBP-IT-08-08
CBP-IT-07-09  Disabling of Inactive Accounts on [redacted]                                     CBP-IT-08-09
CBP-IT-07-10  Physical Access Recertification                                         X
CBP-IT-07-11  [redacted]                                                                       CBP-IT-08-46
CBP-IT-07-12  [redacted] Install                                                               CBP-IT-08-12
CBP-IT-07-13  Complete List of CBP Workstations                                                CBP-IT-08-13
CBP-IT-07-14  Backup Tape Withdrawal Logging                                          X
CBP-IT-07-15  [redacted] Inactive Accounts                                            X
CBP-IT-07-16  Excessive [redacted] Emergency Access                                            CBP-IT-08-16
CBP-IT-07-17  Review of [redacted]                                                    X
CBP-IT-07-18  Recertification of [redacted] Accounts                                           CBP-IT-08-18
CBP-IT-07-19  Security Awareness Training                                             X
CBP-IT-07-20  [redacted] Access Controls                                              X
CBP-IT-07-21  Review of Changes to Security Profiles in [redacted]                             CBP-IT-08-21
CBP-IT-07-22  OIT Documentation Not Formally Approved                                 X
CBP-IT-07-23  Emergency Change Executive Approvals for [redacted]                     X
CBP-IT-07-24  [redacted] Re-recertification Process                                   X
CBP-IT-07-25  No formal designation of ISSO for [redacted]                            X
CBP-IT-07-26  Review of [redacted] Security Violation Logs                                     CBP-IT-08-26
CBP-IT-07-27  [redacted] Administrator Access Authorization Weaknesses                         CBP-IT-08-27
CBP-IT-07-28  [redacted] Access Policies and Procedures                                        CBP-IT-08-28
CBP-IT-07-29  Completion of CF-241 Forms for Terminated Employees                              CBP-IT-08-29
CBP-IT-07-30  Removal of Terminated Employees from [redacted]                         X
CBP-IT-07-31  [redacted] High Risk Combinations                                       X
CBP-IT-07-32  [redacted] Change Documentation                                         X
CBP-IT-07-33  [redacted] Change Documentation                                         X
CBP-IT-07-34  Installation of Anti-Virus Protection                                            CBP-IT-08-34
CBP-IT-07-35  Configuration Management                                                         CBP-IT-08-35
CBP-IT-07-36  Patch Management                                                                 CBP-IT-08-36

FY 2007 Issued NFRs: 36
FY2007 Closed NFRs: 19
FY2007 Reissued NFRs: 17


APPENDIX D

MANAGEMENT RESPONSE TO DRAFT U.S. CUSTOMS AND BORDER PROTECTION IT MANAGEMENT LETTER

Customs and Border Protection\n                       Information Technology Management Letter\n                                   September 30, 2008\n\n\n\n\n                                         34\nInformation Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                               Appendix D \n\n                           U.S. Customs and Border Protection\n                       Information Technology Management Letter\n                                   September 30, 2008\n\n\n\n\n                                         35\nInformation Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                       Appendix D \n\n                                                     U.S. Customs and Border Protection\n                                                 Information Technology Management Letter\n                                                             September 30, 2008\n\n\n                  Status of Corrective Action Plans for FY 2008 Financial Audit NFRs issued to CBP OIT\n\n\n                                                                                                                                            Status/\n                     NFR             NFR                                                                      Planned                     Scheduled\n    Risk Rating                                         Detailed Weakness/ Recommendation\n                    Number 1         Title                                                                Corrective Actions              Completion\n                                                                                                                                             Date\nMedium\n           CBP-IT-08\xc2\xad                        Weakness:    
                                   CBP will continue to verify the       On Track-\n                  02           Interconnection      Without approved interconnection security       number of entities that connect      Completion\n                               Security             agreements (ISA) for all system                 to       . For those connections     Date 6/15/09\n                               Agreements           interconnections, connecting entities could     that do not have documented\n                                                    compromise                                      ISA agreements, ISAs will be\n                                                                    data and system integrity and   created and reviewed by the\n                                                    create security vulnerabilities and risks for   Office of Information and\n                                                    US Customs and Border Protection (CBP).         Technology and the Security\n                                                    Recommendation:                                 and Technology Policy Branch\n                                                    CBP ensure that each active connection          allowing for an accurate list of\n                                                    with       should be accounted for and have     all entities that connect to\n                                                    documented ISAs.                                     .\n\n\n\n\n1\n  For the 2008 audit, OIG/KPMG Auditors used the following numbering system for NFRs: Repeat NFRs were assigned the same numbers used\nlast year. NFRs numbered 1 through 36 are repeats and any skipped numbers were not reissued in 2008. 
NFRs numbered 37 and higher are new\nin 2008.\n\n                                                                36\n                       Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                  Appendix D\n                                                 U.S. Customs and Border Protection\n                                             Information Technology Management Letter\n                                                         September 30, 2008\n\n                                                                                                                                       Status/\n                 NFR              NFR                                                                    Planned                     Scheduled\n Risk Rating                                       Detailed Weakness/ Recommendation\n                Number 1          Title                                                              Corrective Actions              Completion\n                                                                                                                                        Date\nHigh however   CBP-IT-08\xc2\xad   Listing of          Weakness:                                      The                                   Completed-\nConsolidated   03           Employed and        By not maintaining an updated and timely                has been developed            11/12/08\nstatement                   Terminated          list of US Customs and Border Protection       and populated with data on\nsaid Medium                 Contractors         (CBP) contractors, risks are created           contractors supporting CBP.\n                                                concerning access to the financial systems,    Building passes are only being\n                                            
    especially when the contractor leaves CBP.     issued if the data on the\n                                                Recommendation:                                contractor is in the system. A\n                                                CBP ensure that the                            directive has been developed\n                                                                remains updated and includes   finalized and implemented\n                                                all contractors. Also, all information         requiring all CBP offices to\n                                                regarding contractors is accurate and          enter the data on their\n                                                complete.                                      contractors.\n\n\n\nMedium         CBP-IT-08\xc2\xad   Completion and      Weakness:                                      CBP has ensured that the              Completed-\nhowever        08           Review of           Without correct configuration of the           configuration change process           10/01/08\nConsolidated                Security Audit      application to capture appropriate data and    implemented within the\nstatement                   Logs for            the ability to review security audit logs,\nsaid Low                                        potential security violations may go                       application and\n                                                undetected.                                    configuration changes have\n                                                Recommendation:                                been completed to capture all\n                                                CBP properly configure the application to      security events. 
CBP\n                                                capture appropriate data and a process for     implemented a process that\n                                                generating and reviewing security audit logs   ensures the effective automated\n                                                to be developed for                            audit log process to review\n                                                                       that will detect        security logs in order to detect\n                                                potential security events.                     potential security events.\n\n\n\n\n                                                             37\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                   Appendix D\n                                                  U.S. 
Customs and Border Protection\n                                              Information Technology Management Letter\n                                                          September 30, 2008\n\n                                                                                                                                        Status/\n                 NFR              NFR                                                                       Planned                   Scheduled\n Risk Rating                                         Detailed Weakness/ Recommendation\n                Number 1          Title                                                                 Corrective Actions            Completion\n                                                                                                                                         Date\nLow            CBP-IT-08\xc2\xad   Accounts are         Weakness:                                        CBP updated the script to           Completed-\n               09           Not Disabled         Inactive accounts that are not suspended in      include all users accounts           10/15/08\n                            After an             a timely manner increase the risk that any       within the                 .\n                            Appropriate          individual may inappropriately access CBP        Corrected script was executed\n                            Period of Time       systems.                                         
on schedule and results\n                            for the              Recommendation:                                  confirmed.\n                                                 CBP ensure updated scripts runs regularly\n                                                 on the system to disable user accounts after\n                                                 the DHS-specified period of inactivity.\n               CBP-IT-08\xc2\xad   Installation of      Weakness:                                        CBP is working to ensure that     On Track-\nMedium         12                                Without                     installed on         new and existing workstations     Completion\n                            on CBP               workstations, there is no reasonable             are added to the CBP              Date 2/28/09\n                            Workstations         assurance that patched and security fixes are              domain to allow all\n                                                 being appropriately applied to all CBP           workstations to be accounted\n                                                 workstations.                                    for and updated. 
CBP will also\n                                                 Recommendation:                                  implement a process to ensure\n                                                 CBP develop procedures to regularly review       that                 is on all\n                                                 and monitor the workstations that have           workstations.\n                                                                   installed and perform\n                                                 inquiries to determine why identified\n                                                 workstations do not have            installed.\n\n\n\n\n                                                             38\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                Appendix D \n\n                                                 U.S. 
Customs and Border Protection\n                                             Information Technology Management Letter\n                                                         September 30, 2008\n\n                                                                                                                                     Status/\n                 NFR              NFR                                                                     Planned                  Scheduled\n Risk Rating                                        Detailed Weakness/ Recommendation\n                Number 1          Title                                                               Corrective Actions           Completion\n                                                                                                                                      Date\nMedium         CBP-IT-08\xc2\xad   Incomplete          Weakness:                                       CBP is working to ensure that      On Track-\n               13           Listing of CBP      Without the assurance of a list that includes   new and existing workstations     Completion\n                            Workstations        all workstations connecting to CBP              are added to the CBP              Date 2/28/09\n                                                networks, CBP does not have the                            domain which will\n                                                confidence that security patches and updates    allow all workstations to be\n                                                are being appropriately applies to all CBP      accounted for and updated.\n                                                workstations. 
This could lead to                CBP is implementing a process\n                                                vulnerabilities be exploited and also lacks     to ensure that\n                                                the ability to ensure group policies are        are on all workstations.\n                                                implemented on all workstations.\n                                                Recommendation:\n                                                CBP work with administrators across the\n                                                country to ensure that new and existing\n                                                workstations are added to a CBP\n                                                           domain to allow for all\n                                                workstations to be accounted for.\n\n\n\n\n                                                             39\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                Appendix D\n                                                U.S. 
Customs and Border Protection\n                                            Information Technology Management Letter\n                                                        September 30, 2008\n\n                                                                                                                                     Status/\n                 NFR              NFR                                                                   Planned                    Scheduled\n Risk Rating                                      Detailed Weakness/ Recommendation\n                Number 1          Title                                                             Corrective Actions             Completion\n                                                                                                                                      Date\nHigh however   CBP-IT-08\xc2\xad   Excessive          Weakness:                                      CBP has notified the programs        On Track-\nConsolidated   16           Emergency and      Without consistent emergency access            that the CISO must approve list     Completion\nstatement                   Temporary          authorization procedures, excessive            of supervisors who can              Date 4/30/09\nsaid                        Access in          emergency access to sensitive data             approve emergency access as\nMedium                                         operations with                                well as approving the current\n                                                               may exist. Without proper      list of individuals with access\n                                               authorization each time a user requires        and their profiles. 
For all CFO\n                                               emergency access, the user could gain          Designated Financial Systems\n                                               access to data that they do not need and may   the CISO was provided lists of\n                                               be able to compromise the integrity of the     all emergency access profiles,\n                                               data and disrupt processing.                   all developers who have\n                                               Recommendation:                                emergency access, and all\n                                               A. CBP develop and implement procedures        supervisors authorized to\n                                               that will appropriately restrict the use of    approve emergency access.\n                                               emergency and temporary access within          The CISO sent out delegation\n                                                     and that requires documented             letters to the owners of the\n                                               supervisory approval from Information          financial systems delegating\n                                               Systems Security Manager (ISSM)                authority to specific\n                                               confirming this access is needed.              supervisors so they can\n                                               B. 
CBP perform regular recertifications of     approve emergency access\n                                               the emergency access table and ensure only     requests for all CFO\n                                               certain users are included on the table and    Designated Financial Systems\n                                               have the capability to request emergency       for 24 hours at a time, no more\n                                               access.                                        than 4 times a month per\n                                                                                              person, for one year. The CISO\n                                                                                              will re-certify the list of\n                                                                                              authorized supervisors every\n                                                                                              six months.\n\n\n\n                                                             40\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                     Appendix D \n\n                                                  U.S. 
Customs and Border Protection\n                                              Information Technology Management Letter\n                                                          September 30, 2008\n\n                                                                                                                                          Status/\n                 NFR              NFR                                                                      Planned                      Scheduled\n Risk Rating                                         Detailed Weakness/ Recommendation\n                Number 1          Title                                                                Corrective Actions               Completion\n                                                                                                                                           Date\nMedium         CBP-IT-08\xc2\xad   Recertification      Weakness:                                       CBP is implementing the use            On Track-\n               18           of                   Not recertifying accounts can lead to           of scripts to disable                 Completion\n                            Accounts             accounts of terminated employee and                  accounts that have not           Date 9/30/09\n                                                 contractors remaining active on the system.     been used in 30 days. CBP is\n                                                 This can lead to unauthorized access to         creating a listing of users\n                                                 programs using accounts that should no          produced by                     .\n                                                 longer have access to the system. 
Also,         This list will be reduced by\n                                                 without reviewing access to the shared data     those users validated as\n                                                 and drives, the risk exists that accounts can   legitimate by the\n                                                 maintain access to shared data to which they    account re-validation effort. It\n                                                 no longer require access.                       will be assumed that a user\n                                                 Recommendation:                                 with a validated need to access\n                                                 A. CBP develop formal procedures for            his/her              account, has\n                                                 recertifying                                    also been validated to utilize\n                                                                                accounts and     the very network needed to\n                                                 access to shared data.                          obtain              connectivity.\n                                                 B. CBP perform regular re-certifications of     Each remaining user will have\n                                                             accounts and access to shared       their supervisor identified via a\n                                                 data as required by developed procedures.       HR application. 
Individual\n                                                                                                 supervisors will be contacted\n                                                                                                 via e-mail and asked to verify\n                                                                                                 the employees need to retain an\n                                                                                                 active        account.\n\n\n\n\n                                                             41\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                   Appendix D \n\n                                                    U.S. Customs and Border Protection\n                                                Information Technology Management Letter\n                                                            September 30, 2008\n\n                                                                                                                                        Status/\n                 NFR              NFR                                                                       Planned                   Scheduled\n Risk Rating                                           Detailed Weakness/ Recommendation\n                Number 1          Title                                                                 Corrective Actions            Completion\n                                                                                                                                         Date\nMedium         CBP-IT-08\xc2\xad   Review of              Weakness:                                      An       Information Systems        On Track-\nhowever        21           changes to             Without 
independent review of security level changes for [redacted] users, users may be granted additional access they do not need for their job function. In addition, without independent review of these logs by management, security administrators have the ability to make changes to user’s access without proper approvals.
Recommendation: CBP review of these logs should be implemented on a periodic basis by an independent reviewer and that CBP formalize these procedures in detail for the review of [redacted] security audit logs.
Planned Corrective Actions (continued): Security Officer/independent reviewer is reviewing the logs on a periodic basis. The logs and evidence of review are to be documented monthly and maintained for seven years.
Status/Scheduled Completion Date (continued): Completion Date 6/15/09
Risk Rating (continued): Consolidated statement said Low
NFR Title (continued): security profiles in [redacted]

Risk Rating: Medium however Consolidated statement said Low
NFR Number: CBP-IT-08-26
NFR Title: Review of [redacted] Security Violation Logs
Weakness: Without maintaining documented evidence of review for security violation logs per DHS policy, potential access violations could go undetected and these access violations could continue. During a disaster or interruption of service, the restoration of the financial system without pertinent audit information would be challenging.
Recommendation: CBP follow DHS policy and maintain documented evidence of review for security violation logs for the duration outlined in DHS policy.
Planned Corrective Actions: CBP has developed an automated electronic system to facilitate the review of the security violation logs and documentation by the security administrators.
Status/Scheduled Completion Date: Completed - 9/17/08

Risk Rating: High however Consolidated statement said Medium
NFR Number: CBP-IT-08-27
NFR Title: [redacted] Administrator Access Authorization Weaknesses
Weakness: Without proper authorization granted, the risk exists that personnel may gain access to [redacted] administrative capabilities without the need to have that access. This could lead to a compromise of data and system functionality.
Recommendation:
A. CBP develop and implement procedures to restrict access to administrative capabilities
B. CBP require documented authorization request and approval for each person requiring access to the administrative capabilities.
Planned Corrective Actions:
a. CBP is establishing a project plan to implement an appropriate solution for proper management of the CBP [redacted] administrative access. This will include the possibility of purchasing [redacted] software. The Vendor’s recommendation may or may not affect the resources requirement.
b. CBP will also develop and implement procedures that appropriately restrict access to the administrative capabilities. As well as update the mandatory recertification process to indicate user is a security administrator.
Status/Scheduled Completion Date: On Track - Completion Date 2/15/09

Risk Rating: Medium
NFR Number: CBP-IT-08-28
NFR Title: Completion of [redacted] Access Authorization Forms
Weakness: Without documented authorization, it is possible that users will obtain access to the [redacted], as well as shared drives and folders, without proper authorization.
Recommendation: CBP continue efforts to develop a method for tracking and consolidating access request forms for the [redacted] and continue to implement the procedures developed to control [redacted] account creation.
Planned Corrective Actions: Access authorization policies and procedures were developed during FY 2008 but were not fully implemented. The policies and procedures will be fully implemented on or about 3/30/09. The procedure requires completion of a [redacted] Form for all [redacted]. The Government Supervisor must complete and sign the form in order to obtain new [redacted] accounts or change an active account. The completed forms will be retained in a database which can be audited.
Status/Scheduled Completion Date: On Track - Completion Date 3/30/09

Risk Rating: Medium
NFR Number: CBP-IT-08-29
NFR Title: Completion of Government Employee Separation Forms
Weakness: Without following the standard procedures for terminating employees from CBP, it is possible that [redacted] will not receive notification that an employee’s system access should be removed, leaving accounts active that once belonged to terminated employees.
Recommendation: CBP require managers to consistently complete the CBP-241 forms that are required as set forth in the CBP directives and policy.
Planned Corrective Actions: CBP/OF reviewed and revised the CBP Directive No. 51715-005A, “Separation Clearance procedures and CBP Form 242, and disseminated CBP wide. CBP/OF is conducting semi-annual internal reviews to ensure CBP Form is properly completed for all separated employees. The first review of the procedures was conducted from October 2007 to April 2008. The August 19, 2008 report was provided January 7, 2009 and it was determined that compliance with the separation clearance is not being achieved. CBP/OF has not determined what corrective actions will be taken yet.
Status/Scheduled Completion Date: The Responsibility for remediation of this finding is Office of Finance

Risk Rating: Medium however, Consolidated statement said Low
NFR Number: CBP-IT-08-34
NFR Title: Installation of Virus Protection on CBP Workstations
Weakness: Without up-to-date antivirus protection on all CBP workstations, the risk exists that malicious code can be introduced to the network and affect a portion of the CBP-maintained workstations.
Recommendation: CBP develop procedures to regularly review and monitor the workstations that have antivirus protection installed and perform inquiries to determine why identified workstations do not have the protection installed and updated.
Planned Corrective Actions: CBP is working to ensure that new and existing workstations are added to the CBP [redacted] domain which will allow all workstations to be accounted for and updated in the appropriate manner. CBP is implementing a process to ensure that Tivoli Endpoints are on all workstations.
Status/Scheduled Completion Date: On Track - Completion Date 2/28/09

Risk Rating: High
NFR Number: CBP-IT-08-35.1
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted])
Weakness: Weak passwords may allow a remote user to gain unauthorized access on these databases.
Recommendation: CBP ensure that all database accounts have strong passwords.
Planned Corrective Actions: CBP is investigating processes to ensure that all database accounts have strong passwords. One such process is that for the weak local account that used [redacted] has been changed to a more standardized password that meets security standards.
Status/Scheduled Completion Date: On Track - Completion Date 4/1/09

Risk Rating: High
NFR Number: CBP-IT-08-35.2
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted]
Weakness: Weak passwords may allow a remote user to gain unauthorized access on these databases.
Recommendation: CBP ensure that all database accounts have strong passwords.
Planned Corrective Actions: CBP formed a working group to determine what the process will be to change the current password requirements. CBP submit a [redacted] that will notify all applications utilizing [redacted] that passwords will need to be strengthened. System owner will provide written details of appliance and its use for demo purposes. If it is determined that demo equipment follows the DHS [redacted], system owner will update to <strong> password.
[redacted] – This server has been decommissioned.
Status/Scheduled Completion Date: On Track - Completion Date 12/20/09

Risk Rating: High
NFR Number: CBP-IT-08-35.3
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted])
Weakness: Compromised local administrator passwords allow remote users to gain unauthorized access on the host.
Recommendation: CBP ensure that all local administrator account passwords adhere to DHS password policy.
Planned Corrective Actions: CBP changed the patching for the local administrator account.
Status/Scheduled Completion Date: Completed - 11/18/08

Risk Rating: High
NFR Number: CBP-IT-08-35.4
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted]
Weakness: [redacted] is installed with a set of well-known usernames and passwords. If the default username and password has not been changed, an attacker can easily break into a database.
Recommendation: CBP change any default usernames and passwords.
Planned Corrective Actions: CBP has changed the passwords as follows: For [redacted] the passwords was changed on [redacted] and for [redacted]
Status/Scheduled Completion Date: Completed 1/22/09

Risk Rating: High
NFR Number: CBP-IT-08-35.5
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted]
Weakness: [redacted] provides a method of calling function outside the database by creating external procedure servers. This feature is very useful and extends [redacted]’s functionality greatly, but if access to send commands to these external procedure servers is not properly restricted, anonymous users can gain control of the operating system.
Recommendations: CBP configure the listener used by the [redacted] to only accept connections from the database by setting the parameter in the [redacted] file to restrict access to an Oracle database based on network address.
Planned Corrective Actions: CBP non-concurred with the finding. Item#5 which deals with [redacted], CBP is now using [redacted], and is requesting a waiver.
Status/Scheduled Completion Date: Completed - 12/23/08

Risk Rating: High
NFR Number: CBP-IT-08-35.6
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted]
Weakness: [redacted] provides a facility to record the actions taken in the database. Recording these actions is necessary in order to detect when an attack occurs and to be able to analyze the attack after the fact. To enable this feature you must set the [redacted] parameter in the [redacted].
Recommendation: CBP enable auditing.
Planned Corrective Actions: CBP has researched this discrepancy with the vendor [redacted] does not agree with the recommendation. The cost, storage and performance issues would be greater risks to the users than acceptance of this risk. CBP will submit a Risk Acceptance Form and waiver for approval.
CBP has decided to accept the risk because the risk identified is already being addressed in an alternative manner by the [redacted] system.
Status/Scheduled Completion Date: On Track - Completion Date 2/28/09

Risk Rating: High
NFR Number: CBP-IT-08-35.7
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted]
Weakness: The [redacted] parameter allows the database to trust that the client has properly authenticated the user and is who he/she claims to be. If an attacker can identify a user that is configured to use operating system authentication, the attacker will be able to connect to the account without providing authentication credentials.
Recommendation: CBP disable client-side authentication.
Planned Corrective Actions: CBP implemented SAP recommendation into [redacted]
Status/Scheduled Completion Date: Completed 1/22/09

Risk Rating: High
NFR Number: CBP-IT-08-35.8
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted])
Weakness: [redacted] provides a facility to record the actions taken in the database. Recording these actions is necessary in order to detect when an attack occurs and to be able to analyze the attack after the fact. Recording when and from where users are connecting or attempting to connect is one of the most important features in auditing.
Recommendation: CBP configure the database to audit both successful and failed connections for all database users.
Planned Corrective Actions: Upon further research with the vendor [redacted] does not concur with the recommendation. [redacted] recommends that this resolution not be implemented as cost, storage, and performance issues would be higher risks to the users than the acceptance of this risk.
CBP has decided to accept the risk because the risk identified by the auditor is already being addressed in an alternative manner by the [redacted] system. Connection is controlled by the [redacted] application and [redacted] has extensive functions for logging user activities and changes to the system, and users must connect through the system to access any data in its [redacted] database. CBP will submit a Risk Acceptance Form and waiver for approval.
Status/Scheduled Completion Date: On Track - Completion Date 2/28/09

Risk Rating: High
NFR Number: CBP-IT-08-35.9
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and [redacted]
Status/Scheduled Completion Date: On Track - Completion Date 2/28/09
Weakness: The [redacted] parameter defines the maximum lifetime for passwords. Changing passwords on a regular basis alleviates the threat that passwords have been compromised. If this parameter is set too high or not set at all, old passwords may be compromised and remain in use for an extended period of time.
Recommendation: CBP set password life time parameter.
Planned Corrective Actions: CBP initially concurred with the recommendation, however after further researching the issue with the vendor, CBP discovered that the proposed recommendation does not follow the vendor standards.
CBP has decided to accept the risk identified by the
Auditor, and will submit a Risk\n                                                                                                  Acceptance Form and waiver\n                                                                                                  for approval.\nHigh           CBP-IT-08\xc2\xad   Configuration         Weakness:                                       For the                              On Track-\n               35.10        management            Passwords need to be changed frequently,                         the                Completion\n                            weaknesses on         as there are many ways to have a password       recommended account changes         Date 3/31/09\n                            the      and          stolen, sniffed and viewed.                     will be implemented into\n                                 application      Recommendation:                                 production by March 31st,\n                            servers and           CBP ensure that passwords are reset as          2009.\n                                                  mandated by DHS policy.\n\n\n\n\n                                                             52\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                   Appendix D \n\n                                                   U.S. 
Risk Rating: High
NFR Number: CBP-IT-08-35.11
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and
Weakness: Obsolete virus definition files may allow an infection of the remote host by a virus or a worm.
Recommendation: CBP ensure that all virus definition files are up-to-date.
Planned Corrective Actions: CBP implemented Change Request on 10/14/2008 to enable automated [redacted] Signature updates. [redacted] automatically connects to a CBP server hosting the latest [redacted] signatures and applies them to the appropriate systems.
Status/Scheduled Completion Date: Completed - 11/17/08

Risk Rating: High
NFR Number: CBP-IT-08-35.12
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and General Support Systems (GSS)
Weakness: [redacted] is no longer supported by [redacted] therefore is vulnerable to multiple remotely exploitable vulnerabilities which may allow an attacker or a worm to take the complete control of the remote system ([redacted]
Recommendation: CBP upgrade operating system.
Planned Corrective Actions: Neither system addressed in this finding is running [redacted] Systems are running an embedded operating system distributed by [redacted] on their storage appliance. As such these systems are not susceptible to Windows vulnerabilities
Two [redacted] were reported for the [redacted] in Aug 2005 (data encompasses 2003 to 2008). The [redacted] reportedly affect versions [redacted] prior to versions [redacted], and [redacted]. CBP’s devices are [redacted] thus not susceptible.
Status/Scheduled Completion Date: Completed - 12/18/08

Risk Rating: High
NFR Number: CBP-IT-08-35.13
NFR Title: Configuration management weaknesses on the [redacted] and [redacted] application servers and
Weakness: Obsolete passwords increase the potential for unauthorized access on the host.
Recommendation: CBP ensure all password parameters meet DHS requirements.
Planned Corrective Actions: The [redacted] account is required for mainframe access to [redacted] to [redacted] Treasury Files for processing. This process will be changing to use [redacted] in early 2009 and the [redacted] account will be eliminated. In the interim CBP is testing a method for locking down the [redacted] account so that only the [redacted] can log in with this account and only perform the [redacted] process. CBP is developing and implementing a policy for changing root and [redacted] accounts password. Request waiver for user “[redacted]” from DHS. Implement script developed to change passwords for [redacted] account on all servers.
Status/Scheduled Completion Date: On Track - Completion Date 5/30/09

Risk Rating: High
NFR Number: CBP-IT-08-36.1
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: Multiple high risk vulnerabilities have been addressed in the released [redacted]. Exploitation of these vulnerabilities will allow an attacker to completely compromise the database.
Recommendation: CBP apply current [redacted]
Planned Corrective Actions: CBP upgrade to [redacted] version [redacted] and apply [redacted] Patch in [redacted] on 1/18/09. For [redacted], no action required as [redacted] is phasing out the application and no longer support upgrades, including [redacted] Upgrades and Patches. CBP is retiring this application by 12/31/2009.
Status/Scheduled Completion Date: On Track - Completion Date 12/31/09

Risk Rating: High
NFR Number: CBP-IT-08-36.2
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: An attacker may use these vulnerabilities to execute arbitrary commands on the remote host.
Recommendation: CBP apply vendor supplied patches.
Planned Corrective Actions: [redacted] now has an automated process for patch updates based on [redacted] Update Services [redacted] Updates are automatically pulled from a CBP server as they become available and applied to all [redacted] systems.
Status/Scheduled Completion Date: Completed - 11/21/08

Risk Rating: High
NFR Number: CBP-IT-08-36.3
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: Allowing database users to access operating system files may result in security being breached. By default, permissions to execute this function are granted to the public role, allowing all users to execute the functions in the package.
Recommendations: CBP revoke the privilege to execute the sys.utl_file package from the public role. Grant privileges to execute the package only to those specific accounts that need to execute the package.
Planned Corrective Actions: For [redacted] revoking execute of SYS [redacted] from the PUBLIC Role is in Production
Status/Scheduled Completion Date: Completed 1/22/09

Risk Rating: High
NFR Number: CBP-IT-08-36.5
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: An attacker may be able to execute arbitrary code using malicious [redacted] file.
Recommendation: CBP upgrade to Adobe Reader 6.0.6/ 7.0.9/ 8.0 or later.
Planned Corrective Actions: Upgrade to the [redacted] latest version. [redacted], Adobe Reader will be upgraded. For [redacted] and [redacted] is phasing out the application and no longer support upgrades, including [redacted] Reader. The application will not operate if [redacted] Reader is upgraded.
Status/Scheduled Completion Date: On Track - Completion Date 12/31/09

Risk Rating: High
NFR Number: CBP-IT-08-36.6
NFR Title: Patch management weaknesses on the [redacted] and [redacted] P application servers and
Weakness: An attacker may be able to execute arbitrary code on the host.
Recommendation: CBP update WinZip software.
Planned Corrective Actions: Upgrade to the [redacted] and the [redacted] will be upgraded by 2/15/09. For [redacted] will be upgraded on the Production [redacted] by 2/15/09.
Status/Scheduled Completion Date: Completed 2/18/09

Risk Rating: High
NFR Number: CBP-IT-08-36.7
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: An attacker may be able to execute arbitrary code on the host. Successful exploitation allows an attacker to execute arbitrary code on the affected host subject to the user’s privilege.
Recommendation: CBP update [redacted] software.
Planned Corrective Actions: CBP removed [redacted] Software from all identified workstations.
Status/Scheduled Completion Date: Completed - 11/17/08

Risk Rating: High
NFR Number: CBP-IT-08-36.8
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: The [redacted] may allow an untrusted applet to elevate its privileges to, for example, read or write local files or to execute local applications subject to the privileges of the user running the applet. Also, another set of vulnerabilities may allow an untrusted applet to access data in other applets.
Recommendation: CBP upgrade to [redacted] and [redacted] or later and remove if necessary any affected versions.
Planned Corrective Actions: CBP is planning on upgrading to the latest [redacted] version.
Status/Scheduled Completion Date: Completed 2/18/09

Risk Rating: High
NFR Number: CBP-IT-08-36.9
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: By convincing a user to visit a site with specially-crafted [redacted] file, an attacker may be able to execute arbitrary code on the affected host or cause the web browser to crash.
Recommendation: CBP upgrade to [redacted] or later.
Planned Corrective Actions: For [redacted] has been upgraded on the [redacted] For the Project Shared Drive [redacted] Flash Player was upgraded.
Status/Scheduled Completion Date: Completed 1/22/09

Risk Rating: High
NFR Number: CBP-IT-08-36.10
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: An attacker may use an untrusted application or applet to elevate its privilege by granting itself permission to read and write local files or execute local applications subject to the privileges of the user running the application or applet.
Recommendation: CBP upgrade to [redacted] or later and remove any affected versions.
Planned Corrective Actions: CBP has upgraded to the latest [redacted] version.
Status/Scheduled Completion Date: Completed 1/22/09

Risk Rating: High
NFR Number: CBP-IT-08-36.11
NFR Title: Patch management weaknesses on the [redacted] and [redacted] application servers and
Weakness: An attacker may be able to exploit this vulnerability by creating a malicious [redacted] to compromise the computer. In addition, a denial of service vulnerability is present in the remote version of the [redacted]. An attacker could exploit it by creating an applet which misuses the serialization.
Recommendation: CBP upgrade to [redacted]
Planned Corrective Actions: CBP is planning on upgrading to the latest [redacted] version.
Status/Scheduled Completion Date: Completed 2/15/09

Risk Rating: Medium, however Consolidated statement said Low
NFR Number: CBP-IT-08-37
NFR Title: Security Violation Review Process
Weakness: By not having formal procedures that document the current review process for security violations, the network security specialist could leave their position and their replacement would not be able to perform the tasks without formal procedures, thereby increasing the risk of undetected security violations.
Recommendation: CBP create formal procedures to document the mainframe security violation review process.
Planned Corrective Actions: The procedures for reviewing of the mainframe security logs existed and have been formalized, approved, published, and implemented.
Status/Scheduled Completion Date: Completed - 11/21/08

Risk Rating: Medium, however Consolidated statement said Low
NFR Number: CBP-IT-08-38
NFR Title: Process for reviewing [redacted] Audit and [redacted]
Status/Scheduled Completion Date: Completed - 8/17/08
Weakness: Without formal procedures in place, the review of [redacted] audit and [redacted] may not be performed in a consistent, uniform manner, which may ultimately lead to potential security violations going undetected.
Planned Corrective Actions: The [redacted] Information Systems Security Officer(s) have established a [redacted] folder to act as the central repository for housing these procedures. The access to this
repository is limited strictly to\n                                                Recommendation:                                 those who need to know.\n                                                CBP create formal procedures to document\n                                                the review process for              audit and\n                                                                   .\n\n\n\n\n                                                             61\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                Appendix D \n\n                                                U.S. Customs and Border Protection\n                                            Information Technology Management Letter\n                                                        September 30, 2008\n\n                                                                                                                                     Status/\n                 NFR              NFR                                                                   Planned                    Scheduled\n Risk Rating                                       Detailed Weakness/ Recommendation\n                Number 1          Title                                                             Corrective Actions             Completion\n                                                                                                                                      Date\nMedium         CBP-IT-08\xc2\xad   Password           Weakness:                                      CBP has established and              Completed-\nhowever        39           configuration      Without password parameters that are           implemented a new password            9/02/08\nConsolidated                weakness for       compliant with the 
organizations policies,     rules policy in accordance with\nstatement                                      there is an increased risk that unauthorized   DHS Policy.\nsaid Low                                       users may be able to guess passwords and\n                                               gain unauthorized access.\n                                               Recommendation:\n                                               CBP follow DHS policy and improve\n                                               password complexity by including special\n                                               characters for the\n                                                              application.\n\n\n\n\n                                                             62\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                  Appendix D\n                                                 U.S. 
Customs and Border Protection\n                                             Information Technology Management Letter\n                                                         September 30, 2008\n\n                                                                                                                                       Status/\n                 NFR              NFR                                                                     Planned                    Scheduled\n Risk Rating                                        Detailed Weakness/ Recommendation\n                Number 1          Title                                                               Corrective Actions             Completion\n                                                                                                                                        Date\nHigh however   CBP-IT-08\xc2\xad   ISSM Approval       Weakness:                                       CBP has notified the programs        On Track-\nConsolidated   40           of                  Not having emergency and temporary              that the CISO must approve list     Completion\nstatement                   Emergency and       access approved by the Information              of supervisors who can              Date 4/30/09\nsaid Low                    Temporary           Systems Security Manager (ISSM), CBP is         approve emergency access as\n                            Access              not in compliance with DHS policy and is        well as approving the current\n                            Authorizations      presented with the risk that excessive          list of people with access and\n                                                emergency access to                             their profiles. For all CFO\n                                                                      may be granted.           
Designated Financial Systems\n                                                Recommendation:                                 the CISO was provided lists of\n                                                A. CBP adjust CBP-level and          level      all emergency access profiles,\n                                                policies to require the ISSM to approve the     all developers who have\n                                                emergency and temporary access                  emergency access, and all\n                                                authorizations prior to access being granted.   supervisors authorized to\n                                                B. CBP require documented supervisory           approve emergency access.\n                                                approval form the ISSM each time a user         CISO sent out delegation\n                                                requires emergency access abilities.            letters to the owners of the\n                                                                                                financial systems delegating\n                                                                                                authority to specific\n                                                                                                supervisors so they can\n                                                                                                approve emergency access\n                                                                                                requests all CFO Designated\n                                                                                                Financial Systems for 24 hours\n                                                                                                at a time, no more than 4 times\n                                                                                                a month 
per person, for one\n                                                                                                year. The CISO will re-certify\n                                                                                                the list of authorized\n                                                                                                supervisors every six months.\n\n\n\n\n                                                             63\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                  Appendix D \n\n                                                 U.S. Customs and Border Protection\n                                             Information Technology Management Letter\n                                                         September 30, 2008\n\n                                                                                                                                       Status/\n                 NFR              NFR                                                                      Planned                   Scheduled\n Risk Rating                                        Detailed Weakness/ Recommendation\n                Number 1          Title                                                                Corrective Actions            Completion\n                                                                                                                                        Date\n               CBP-IT-08\xc2\xad   Weaknesses in       Weakness:                                       A. 
CBP has implemented the           Completed \n\nMedium         41           the Process of      By not documenting up-to-date policies for      approved policy directive             1/22/09 \n\n                            Separating CBP      the separation of CBP contractors, the risk     requiring use of CTS CBP-\n                            Contractors         exists that contractors will not be separated   wide has been distributed by\n                                                according to proper policies as outlines by     OF and can be found on the\n                                                DHS. Also, inconsistent completion of the       workforce management web\n                                                CBP-242 forms leads to the increased risk       page.\n                                                that a separating contractor system access\n                                                will not be deactivated.                        B CBP has implemented the\n                                                Recommendation:\n                                                A. CBP document an up-to-date review of              ) to facilitate the timely\n                                                this document and make modifications as         removal of contractor logical\n                                                needed based on the new operating               and physical access accounts\n                                                environment for CBP as apart of DHS.            upon their separation from a\n                                                B. 
CBP require the consistent and accurate      CBP contract.\n                                                completion of CBP-242 forms for all\n                                                separating contractors.\n\n\n\n\n                                                             64\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                             Appendix D \n\n                                               U.S. Customs and Border Protection\n                                           Information Technology Management Letter\n                                                       September 30, 2008\n\n                                                                                                                                  Status/\n                 NFR              NFR                                                                   Planned                 Scheduled\n Risk Rating                                       Detailed Weakness/ Recommendation\n                Number 1          Title                                                             Corrective Actions          Completion\n                                                                                                                                   Date\nNot Rated      CBP-IT-08\xc2\xad   Formal             Weakness:                                      Stewardship of the               This NFR\n               42           agreement not in   By not having a complete, signed and up-to                  has been\n                            place for CBP\xe2\x80\x99s    date agreement with the business continuity    transferred from CBP to DHS.\n                                                                                                                                  was\n                            use of      
s as   facility provider, CBP is at risk of not       CBP has provided its            transferred\n                            Business           having an adequate facility in place to        requirements to DHS. DHS is       to DHS\n                            Continuity         service as a business continuity facility in   responsible for establishing\n                            facility           the event the                         is       and managing the agreements\n                                               rendered inoperable and operations must be     with the US Navy.\n                                               moved to an alternate site.\n                                               Recommendation:\n                                               CBP communicate with DHS and the US\n                                               Navy to document and Memorandum of\n                                               Understanding outlining CBP\xe2\x80\x99s specific\n                                               requirements for their business continuity\n                                               facility and ensure that the agreement is\n                                               complete, signed and up-to-date.\n\n\n\n\n                                                             65\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                 Appendix D\n                                               U.S. 
Customs and Border Protection\n                                           Information Technology Management Letter\n                                                       September 30, 2008\n\n                                                                                                                                      Status/\n                 NFR              NFR                                                                   Planned                     Scheduled\n Risk Rating                                      Detailed Weakness/ Recommendation\n                Number 1          Title                                                             Corrective Actions              Completion\n                                                                                                                                       Date\nHigh however   CBP-IT-08\xc2\xad   Inadequate        Weakness:                                       Through the                           On Track-\nConsolidated   43           Resources at      Inadequate hardware in place for business                                            Completion\nstatement                           for       continuity testing presents CBP the risk that                  initiative, the       Date 7/30/09\nsaid Medium                 Business          they are unable to fully test business          continuity posture of CBP will\n                            Continuity        continuity plan and do not have assurance       be greatly enhanced at\n                            Testing           that the plan is appropriately designed and     to include infrastructure\n                                              documented.                                     upgrades and software\n                                              Recommendation:                                 licensing. 
The new\n                                              CBP allocate the appropriate hardware to        enhancements will bring the\n                                                      , allowing system availability to       current          environment up\n                                              fully test the business continuity plan to      to a comparable state to that of\n                                              ensure that          has the capability to      the production environment at\n                                              support CBP in the event that the                          . The deficiencies\n                                                                    is rendered unavailable   identified are expected to be\n                                              for production.                                 addressed as part of the\n                                                                                              program and CBP\n                                                                                              infrastructure initiatives over\n                                                                                              the next 12 months.\n\n\n\n\n                                                             66\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                    Appendix D\n                                                 U.S. 
Customs and Border Protection\n                                             Information Technology Management Letter\n                                                         September 30, 2008\n\n                                                                                                                                         Status/\n                 NFR              NFR                                                                     Planned                      Scheduled\n Risk Rating                                        Detailed Weakness/ Recommendation\n                Number 1          Title                                                               Corrective Actions               Completion\n                                                                                                                                          Date\nMedium         CBP-IT-08\xc2\xad   Completion of       Weakness:                                       CBP/Procurement made                   Completed\nhowever        44           Non-Disclosure      By not having contractors sign non\xc2\xad             procedural changes to the               1/28/09\nConsolidated                Agreements for      disclosure agreements, the risk exists that     COTR Appointment Memo\nstatement                   US CBP              individuals may not be aware of their           outlining the responsibilities of\nsaid Low                    Contractors         requirements in protecting sensitive DHS        the COTR. The COTR is\n                                                and CBP information.                            
responsible for ensuring that all\n                                                Recommendation:                                 the contractor complete the\n                                                CBP enforce DHS requirement that a non-         DHS Form 11000-6 Non\xc2\xad\n                                                disclosure agreement be signed by all           Disclosure Agreement pursuant\n                                                contractors in a moderate and high risk level   to DHS Management Directive\n                                                position to ensure that they are aware of       11042.1\n                                                their responsibilities in protecting the\n                                                confidentiality of DHS and CBP data.\nMedium         CBP-IT-08\xc2\xad   Log                 Weakness:                                       Corrective action was taken on         Completed-\nhowever        45           configuration       Without correct configuration of the logs to    August 13 2008 to properly              10/02/08\nConsolidated                weakness for        capture appropriate data, actual violations     configure              audit and\nstatement                                       could occur and go undetected.                                      to capture\nsaid Low                                        Recommendation:                                 appropriate data for the\n                                                CBP properly configure                                             . 
Evidence\n                                                                        to capture              was provided on 10/02/08.\n                                                appropriate data for the\n                                                                            system.\n\n\n\n\n                                                             67\n                    Information Technology Management Letter for the FY 2008 CBP Financial Statement Audit\n\x0c                                                                                                                                   Appendix D\n                                               U.S. Customs and Border Protection\n                                           Information Technology Management Letter\n                                                       September 30, 2008\n\n                                                                                                                                        Status/\n                 NFR               NFR                                                                    Planned                     Scheduled\n Risk Rating                                       Detailed Weakness/ Recommendation\n                Number 1           Title                                                              Corrective Actions              Completion\n                                                                                                                                         Date\nMedium         CBP-IT-08\xc2\xad   Review of          Weakness:                                        CBP has developed and                 Completed-\nhowever        46                              By not maintaining               audit and       implemented formal                     9/18/08\nConsolidated                Audit and                              per DHS policy,              procedures for the review\nstatement                                      
potential access violations for those specific   process of\nsaid Low                    Logs               dates could go undetected and these access                                 . The\n                                               violations could continue.                       Mainframe ISSO(s) established\n                                               Recommendation:                                  a             folder for housing\n                                               CBP maintain               audit and             these procedures and access is\n                                                           per DHS policy.                      limited to those with a need to\n                                                                                                know.\nMedium         CBP-IT-08\xc2\xad   Rules of           Weakness:                                        CBP has included the DHS              On Track-\nhowever        47           behavior are not   Without signed rules of behavior, CBP            Rules of Behavior in all of its      Completion\nConsolidated                signed before      management has no formal recourse for            mandatory online security            Date 5/01/09\nstatement                   gaining systems    holding individuals accountable for their        training courses and its annual\nsaid Low                    access             actions on CBP information systems.              security awareness refresher\n                                               Recommendation:                                  courses. However, formal\n                                               CBP require all CBP personnel (employees         acknowledgement has not been\n                                               and contractors) to sign rules of behavior       required. The Chief\n                                               prior to being granted any system access.        
Detailed Weakness/Recommendation (continued): For personnel that already have system access, CBP should prioritize having these individuals sign rules of behavior to maintain their system access.
Planned Corrective Actions (continued): Information Security Officer is working with all CBP offices to implement a formal acknowledgment process nationally.

Appendix D
U.S. Customs and Border Protection
Information Technology Management Letter
September 30, 2008

NFR Number: CBP-IT-08-48
Risk Rating: Medium, however Consolidated statement said Low
NFR Title: [redacted] Security Audit Logs Procedures Weakness
Weakness: By not having detailed procedures that document the [redacted] review process, the [redacted] Information Systems Security Officer could leave their position and replacement would not be able to perform the tasks without detailed procedures.
Recommendation: CBP create detailed procedures that document the review process for security audit logs which includes the documented evidence of review.
Planned Corrective Actions: The [redacted] Audit Logs Procedures will be modified to include the evidence of review, sampling methodology and frequency of the review.
Status/Scheduled Completion Date: On Track - Completion Date 6/15/09

NFR Number: CBP-IT-08-49
Risk Rating: Medium
NFR Title: Weak Initial Password Granted for New [redacted] Accounts
Weakness: By establishing a weak initial password, the risk exists that a new account’s password will be guessed by someone other than the owner of the account and the account will be used inappropriately.
Recommendation: CBP update the [redacted] Security Administrator Handbook to require a strong password that is in compliance with DHS and CBP password policies to be set as the initial password for all new account users.
Planned Corrective Actions: The handbook as well as the password will be changed to meet DHS guidelines.
Status/Scheduled Completion Date: On Track - Completion Date 3/15/09

NFR Number: CBP-IT-08-50
Risk Rating: Low
NFR Title: Inadequate Tracking of Security Awareness Completion
Weakness: By not consistently monitoring completion of security awareness training for CBP personnel, the risk exists that persons who have not completed security awareness training will maintain systems access.
Recommendation: CBP develop a method for determining individuals who have and have not completed security awareness so that they can actively work towards 100% compliance with the DHS requirement that all individuals with systems access complete annual security awareness training.
Planned Corrective Actions: The method of tracking completion of security training was inadequate to assure efficient management and deny access to those who did not complete the training. CBP created a report that reads the CBP [redacted] and searches for all current, active employees (government and contractor) and runs that list against the [redacted]. The report lists who has not taken specific classes or tests at the time of report generation. CBP created an on-demand dashboard functionality ([redacted] screen) that is available to OIT to run these reports. This will enable the user to execute the report as needed.
Status/Scheduled Completion Date: Completed - 09/30/08

NFR Number: CBP-IT-08-51
Risk Rating: Low
NFR Title: No Document [redacted] Hardware Maintenance Procedures
Weakness: Without formally documented maintenance procedures for the [redacted] environment, the risk exists that [redacted] hardware will not be maintained in a consistent manner, which would lead to the risk that hardware will fail and cause system availability interruptions.
Recommendation: CBP document their [redacted] hardware maintenance procedures to ensure a consistent application of maintenance methodologies for the [redacted] environment.
Planned Corrective Actions: Corrective actions have been completed. UNIX hardware Maintenance Procedures have been documented and are being followed.
Status/Scheduled Completion Date: Completed - 11/17/08

NFR Number: CBP-IT-08-52
Risk Rating: Low
NFR Title: Screensavers are not appropriately configured on the [redacted]
Weakness: By not configuring screensavers to automatically activate after 5 minutes of inactivity, the risk exists that unattended systems will be used by individuals other than the one who is logged into the unattended system.
Recommendation: CBP determine a method for appropriately applying CBP and DHS policy requiring automatically-activated password-protected screensavers after a period of activity.
Planned Corrective Actions: CBP reviewing current policy on screensavers and vet through all CBP ACs to determine if an exception is necessary. An exception was determined to be necessary, draft exception request to increase time out for screensaver activation from 5 minutes to 15 minutes. CBP obtained signature on exception. This solution will also disable the function whereby any individual could change the length of activation time on their screensavers. We estimate this process to take around four months.
Status/Scheduled Completion Date: On Track - Completion Date 4/30/09

NFR Number: CBP-IT-08-53
Risk Rating: Low
NFR Title: Out of Date and Inaccurate Security Administrator Handbook
Weakness: By maintaining an out of date [redacted] Security Administrators Handbook, the risk exists that Security Administrators will improperly perform their duties or tasks that are not in compliance with DHS and CBP policies.
Recommendation: CBP conduct a full review of the Security Administrators Handbook and make updates to the document that reflect the current operating environment. The review should be documented and the Handbook should include a change log as evidence of the updates that were made.
Planned Corrective Actions: The handbook is in the process of being updated and approved and will be completed by February 15, 2009.
Status/Scheduled Completion Date: On Track - Completion Date 3/15/09

NFR Number: CBP-IT-08-54
Risk Rating: Medium
NFR Title: [redacted] Access Control Policies and Procedures Weaknesses
Weakness: Without formally documented access control policies and procedures and implementation of these procedures, the risk exists that access to [redacted] functionality and data will not be consistently controlled at the various ports where it is used.
Recommendation: CBP document and implement policies and procedures for [redacted] access control.
Planned Corrective Actions: CBP is establishing and implementing policies and procedures for [redacted] access control. [redacted] will implement a new automated process for recertification every six months for all [redacted] users, document a formal process for the creation of [redacted] portal users and configure to lock out user’s account after 45 days of inactivity.
Status/Scheduled Completion Date: On Track - Completion Date 8/31/09

NFR Number: CBP-IT-08-55
Risk Rating: Medium
NFR Title: Consistency in Creation of [redacted] Accounts and Administrator Accounts
Weakness: By not controlling the way in which [redacted] accounts are created, the risk exists that accounts will be created in an inappropriate and unauthorized manner.
Recommendation: CBP limit the organization that can create [redacted] accounts, administrator accounts and require any accounts created to be created by a singular organization.
Planned Corrective Actions: CBP procured and is installing a third party software tool (e.g. [redacted] or equivalent) to support [redacted] access control. Contact entities other than ENTS Field Support who granted [redacted] and remind them of existing procedures that require coordination with Field Support and completion of the standard [redacted] access request forms for any individuals with access that has not been documented with ENTS Field Support. Using the software tool procured, produce periodic reports to determine if accesses are being granted in compliance with the requirement for centralized documentation.
Status/Scheduled Completion Date: On Track - Completion Date 5/30/09

Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Operations
Chief of Staff for Policy
Acting General Counsel
Executive Secretariat
Under Secretary, Management
Commissioner, CBP
DHS Chief Information Officer
DHS Chief Financial Officer
Chief Financial Officer, CBP
Chief Information Officer, CBP
DHS Chief Information Security Officer
Assistant Secretary, Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Office of Legislative Affairs
DHS GAO OIG Audit Liaison
Chief Information Officer, Audit Liaison
CBP Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;
• Fax the complaint directly to us at (202) 254-4292;
• Email us at DHSOIGHOTLINE@dhs.gov; or
• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600,
  Attention: Office of Investigations - Hotline,
  245 Murray Drive, SW, Building 410,
  Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.